
Global Data Privacy Guide

Japan

(Asia Pacific) Firm Nishimura & Asahi (GKJ)

Contributors Hitomi Iwase

Updated 01 Mar 2022
What is the key legislation?

The Act on the Protection of Personal Information (Act No. 57 of 2003) ("APPI").

Note: The key legislation governing privacy in Japan is the Act on the Protection of Personal Information (Act No. 57 of 2003) ("APPI").

The APPI prescribes protocols for both government and private-sector entities for the management of personal information.  In the private sector, it provides general rules concerning the protection of personal information and regulates the handling (collection, storage, and use) of personal information. Note that this document focuses on the private sector - i.e., Business Operator Handling Personal Information. 

What data is protected?

The APPI protects personal information, which is defined as information about a living individual that falls under any of the following items:

  • information containing a name, date of birth or other descriptions whereby a specific individual can be identified (including information allowing easy reference to other information that would thereby enable identification of the individual); or
  • information containing an individual identification code, which is a code, including characters, numerical characters and marks, that can be used to identify a specific individual and which is specified in a cabinet order (e.g., biometric identifiers such as fingerprint data or face recognition data, passport or driving license numbers).

Note: Personal Information is protected under the APPI. In addition, under the APPI, two categories of Personal Information are defined: “Personal Data”; and “Retained Personal Data.”  These three terms, which are subject to different rules under the APPI, are defined in the APPI as follows:

Personal Information: information about a living individual that falls under any of the following items:

  •  information containing a name, date of birth or other descriptions whereby a specific individual can be identified (including information allowing easy reference to other information that would thereby enable identification of the individual); or
  • information containing an individual identification code, which is a code, including characters, numerical characters and marks, that can be used to identify a specific individual and which is specified in a cabinet order (e.g., biometric identifiers such as fingerprint data or face recognition data, passport or driving license numbers).

Personal Data: Personal Information contained within a personal Information Database.  A Personal Information Database is a collection of information including Personal Information as set forth below:

  • a collection of information systematically arranged in such a way that specific Personal Information can be retrieved by a computer; or
  • any other collection of information designated by Cabinet Order as being systematically arranged in such a way that specific Personal Information can be easily retrieved. Specifically, the Cabinet Order designates any information systematically arranged in such a way that specific Personal Information can be easily retrieved by (i) organizing the Personal Information contained in it according to certain rules; and (ii) including a table of contents, an index, or other arrangements that aid retrieval.

Retained Personal Data: Personal Data over which a Business Operator Handling Personal Information has the authority to disclose, correct, add to or delete the content, discontinue utilization, erase, or discontinue provision to a third party, excluding data specified by Cabinet Order as data the disclosure of which would be harmful to the public interest or other interests.

The APPI also sets forth rules on several categories of information as follows:

Anonymously Processed Information: Information relating to an individual that is produced by processing Personal Information, pursuant to the provisions of the APPI and the PPC rules, so that a specific individual cannot be identified and the original Personal Information cannot be restored.

Pseudonymously Processed Information: Information relating to an individual that is produced by processing Personal Information, pursuant to the provisions of the APPI and the PPC rules, so that a specific individual cannot be identified unless the information is combined with other information.

Personally Referable Information: Information that relates to a living individual and does not fall under Personal Information, Pseudonymously Processed Information or Anonymously Processed Information (e.g., location data or cookie data that, on its own, does not identify a specific individual).

Who is subject to privacy obligations?

The APPI applies to any person using a Personal Information Database for a business. 

Note: The APPI applies to a “Business Operator Handling Personal Information” as well as to (i) state organs and (ii) local governments. Note that this document focuses on the private sector - i.e., Business Operator Handling Personal Information. 

Under the APPI, a “Business Operator Handling Personal Information” is defined as any person using a Personal Information Database for business other than the following entities: (i) incorporated administrative agencies and the like and (ii) local independent administrative institutions.

What are the principles applicable to personal data processing?

Personal Information must not be collected by deception or other wrongful means. Generally, once a Business Operator Handling Personal Information has collected Personal Information, it must notify the individual of, or publicly announce, the Purpose of Use.

Note: The following restrictions apply to the collection of Personal Information:

  • Proper Acquisition
    • A Business Operator Handling Personal Information must not acquire Personal Information by deception or other wrongful means.
  • Notice of the Purpose of Use at the Time of Acquisition
    • Once a Business Operator Handling Personal Information has acquired Personal Information, it must notify the individual of or publicly announce the Purpose of Use, except in cases where the Purpose of Use has already been publicly announced or where any of the following requirements are met:
      • where the notification or public announcement of the Purpose of Use is likely to cause harm to the life, body, or property or to any rights or interests of an individual or a third party;
      • where the notification or public announcement of the Purpose of Use is likely to harm the rights or legitimate interests of the Business Operator Handling Personal Information;
      • where cooperation with a state agency, local government or a third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and where the notification or public announcement of the Purpose of Use is likely to impede the execution of such affairs; and
      • where the Purpose of Use is evident from the situation surrounding the collection of Personal Information.
  • Sensitive Information
    • As a general rule, a Business Operator Handling Personal Information must not obtain Sensitive Information without the individual’s prior consent. Sensitive Information means Personal Information comprising the relevant person’s race, creed, social status, medical history, criminal record, the fact of having suffered damage as a result of a crime, or other descriptions prescribed by Cabinet Order as those whose handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the relevant person.

How is the processing of personal data regulated?

When handling Personal Information, a Business Operator Handling Personal Information must specify the Purpose of Use of Personal Information to the extent possible and must not use Personal Information beyond the scope necessary to achieve the Purpose of Use without obtaining the individual’s prior consent.  In addition, as a general rule, a Business Operator Handling Personal Information may not provide Personal Data to a third party without obtaining the individual’s prior opt-in consent.

Note: Restriction by the Purpose of Use

When handling Personal Information, in addition to specifying the Purpose of Use of Personal Information (see above), a Business Operator Handling Personal Information is required to comply with the following rules:

  • A Business Operator Handling Personal Information must not change the Purpose of Use beyond the scope that is reasonably related to the Purpose of Use before the change.
  • As a general rule, a Business Operator Handling Personal Information must not use Personal Information beyond the scope necessary to achieve the Purpose of Use without obtaining the individual’s prior consent. Exceptions to the general rule apply in the following cases:
    • where the handling of Personal Information is required by laws and regulations;
    • where the handling of Personal Information is necessary for the protection of the life, body, or property of an individual and where obtaining the person’s consent is difficult;
    • where the handling of Personal Information is necessary for the improvement of public health or promotion of the sound growth of children and where obtaining the person’s consent is difficult;
    • where cooperation with a state agency, local government or a third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and where obtaining the person’s consent is likely to impede the execution of the affairs concerned;
    • where the Business Operator Handling Personal Information is an academic research institution and there is a need to handle Personal Information for the purpose of academic research (except where the individual’s rights or interests may be unfairly harmed); or
    • where the Business Operator Handling Personal Information provides Personal Data to an academic research institution that has a need to handle such Personal Data for the purpose of academic research (except where the individual’s rights or interests may be unfairly harmed).
  • A Business Operator Handling Personal Information must not use Personal Information in a manner that may encourage or induce any illegal or unjust activities.

Disclosure or sharing of Personal Data with third parties

As a general rule, a Business Operator Handling Personal Information may not provide Personal Data to a third party without obtaining the individual’s prior opt-in consent. Exceptions to the general rule apply in the following cases:

  • where the provision of Personal Data is required under laws and regulations;
  • where the handling of Personal Data is necessary for the protection of the life, body, or property of an individual and where obtaining the person’s consent is difficult;
  • where the handling of Personal Data is necessary for the improvement of public health or promotion of the sound growth of children and where obtaining the person’s consent is difficult;
  • where cooperation with a state agency, local government or a third party commissioned by a state or local agency is necessary to conduct certain affairs specified by laws and regulations and where obtaining the person’s consent is likely to impede the execution of the affairs concerned;
  • where the Business Operator Handling Personal Information is an academic research institution and there is a need to handle Personal Information for the purpose of academic research (except where the individual’s rights or interests may be unfairly harmed); or
  • where the Business Operator Handling Personal Information provides Personal Data to an academic research institution that has a need to handle such Personal Data for the purpose of academic research (except where the individual’s rights or interests may be unfairly harmed).

Opt-out option: A Business Operator Handling Personal Information may provide Personal Data (excluding Sensitive Information) to a third party without obtaining the individual’s prior consent if it, in advance, notifies the individual of the following information or makes the information readily available to the individual, and also notifies the PPC (Personal Information Protection Commission) of all of the following information: (i) its name and address (and, if the Business Operator Handling Personal Information is a legal entity, the name of its representative); (ii) the fact that provision to a third party is a Purpose of Use; (iii) the items of Personal Data to be provided to a third party; (iv) the method of provision to a third party; (v) the method of acquisition of the Personal Data; (vi) the fact that, at the individual’s request, provision to a third party of Personal Data that identifies the individual will be discontinued; (vii) the method of receiving such a request; (viii) the method of updating the Personal Data; and (ix) the commencement date of the provision of the Personal Data. 

Other Exceptions:

  • If the Personal Data are transferred as a result of a merger, acquisition, or similar succession transaction, the recipient of the Personal Data is not deemed a “third party.”
  • Service provider exception: If the Personal Data are transferred because a Business Operator Handling Personal Information has commissioned a service provider to carry out all or part of the processing of the Personal Data that is necessary to achieve the Purpose of Use, and the service provider does not process the data for its own Purpose of Use, the service provider is not deemed a “third party.” 
  • Joint use: If a Business Operator Handling Personal Information either notifies an individual in advance of the following information or ensures that the information is made readily available to the individual in advance, it may use Personal Data jointly with another specific individual or entity without the individual’s prior consent:
    • The fact that Personal Data may be shared with and used jointly by specific individuals or entities;
    • the items of the Personal Data used jointly;
    • the scope of the joint users;
    • the purpose for which the Personal Data is used; and
    • the name and address of the individual or business operator (from among the joint users) that is responsible for the management of the Personal Data (in addition, if it is a legal entity, the name of its representative). 

The APPI also sets forth rules concerning Personally Referable Information, which includes location data and cookie data. Where a Business Operator Handling Personal Information that has collected Personally Referable Information intends to provide it to a third party, and that third party is expected to use the information to identify one or more specific individuals (i.e., it becomes Personal Data at the recipient), the receiving party must obtain the individual’s consent and the providing party must confirm that such consent has been obtained. In addition, where the receiving party is in a foreign country, the receiving party must disclose, and the providing party must confirm the disclosure of, the following information when obtaining the individual’s consent to the transfer:

  • a summary of the legal system related to the protection of personal information in the foreign country to which personally referable information will be transferred;
  • an outline of specific measures the third party is implementing or will implement to protect the personal information; and
  • other information that may be helpful to the individual.

How are storage, security and retention of personal data regulated?

Business Operators Handling Personal Information must take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data. Business Operators Handling Personal Information must endeavor to delete personal data without delay when its use is no longer required.

Note: Under the APPI, Business Operators Handling Personal Information are required to take security control measures concerning Personal Data. The APPI imposes a broadly stated obligation on Business Operators Handling Personal Information to “take necessary and proper measures for the prevention of leakage, loss, or damage, and for other security control of the Personal Data.” The APPI itself specifies no concrete measures for satisfying this requirement. However, it is generally understood that the security control measures required by the APPI include: (i) organizational measures; (ii) employee-related measures (e.g., training of personnel); (iii) physical measures; and (iv) technical measures. Concrete actions under each type of measure are stipulated in the guidelines established by the PPC. A Business Operator Handling Personal Information must also supervise its employees and any service providers it commissions to handle Personal Data, so that the data remains under security control when processed by them.

Business Operators Handling Personal Information must endeavor to delete personal data without delay when its use is no longer required.

What are the data subjects' rights?

A Business Operator Handling Personal Information must make certain matters accessible to individuals whose Retained Personal Data it holds. An individual may request that a Business Operator Handling Personal Information disclose, correct, or stop using (among other things) the individual’s Retained Personal Data in certain circumstances.

Note: A Business Operator Handling Personal Information must comply with the following rules:

  • A Business Operator Handling Personal Information must make the following details accessible to individuals whose Retained Personal Data it holds: (i) the name and address of the Business Operator Handling Personal Information (and, if it is a legal entity, the name of its representative); (ii) the Purpose of Use (except in specified circumstances); (iii) procedures for requesting disclosure or correction of Retained Personal Data, or for requesting that the use or provision of Retained Personal Data be stopped or that it be erased, as well as procedures for other requests; and (iv) other matters, as specified by Cabinet Order, that are necessary to ensure the proper handling of Retained Personal Data. The matters under (iv) include an outline of the security control measures taken with respect to Retained Personal Data.
  • An individual can request that a Business Operator Handling Personal Information disclose any Retained Personal Data of the individual, and if so requested, the Business Operator Handling Personal Information must disclose the relevant Retained Personal Data without delay. The same applies to the records of data provision to, or receipt from, third parties that must be prepared and stored pursuant to the provisions of the APPI.
  • An individual can request that a Business Operator Handling Personal Information correct, add to, or delete Retained Personal Data of the individual if it is inaccurate, and if so requested, the Business Operator Handling Personal Information must investigate the matter without delay. Based on the result of the investigation, the Business Operator Handling Personal Information must correct, add to, or delete the Retained Personal Data concerned, and must notify the individual of its response to the request.
  • An individual can request that a Business Operator Handling Personal Information stop using or providing Retained Personal Data on the basis that (i) the Business Operator Handling Personal Information is violating certain provisions of the APPI; (ii) it is no longer necessary to use or provide the Retained Personal Data; (iii) a leakage or other incident concerning the Retained Personal Data that is subject to the PPC reporting requirement has occurred; or (iv) the rights or legitimate interests of the individual may be harmed. If so requested, the Business Operator Handling Personal Information must stop using or providing the Retained Personal Data concerned if the request is reasonable.

Are there restrictions on cross-border data transfers?

In principle, the APPI restricts the provision of personal data to third parties in a foreign country without the relevant individual’s prior consent.

When obtaining the relevant individual’s prior consent to a cross-border data transfer, a Business Operator Handling Personal Information is required to disclose to the individual the following matters: (i) the name of the country in which the third party is located; (ii) information relating to the legal system for protecting Personal Information in the foreign country; and (iii) information relating to specific measures to protect Personal Information that are being or will be taken by the third party.

Note: In principle, the APPI restricts the provision of personal data to third parties in a foreign country without the relevant individual’s prior consent.

The exceptions to the prior consent requirement include the following:

  • With respect to the third party that is the recipient of Personal Data, the prior consent requirement does not apply to a transfer to a recipient operator that has established a system conforming to the standards set out in the PPC rules. The PPC rules currently provide two categories of exempt recipient operators:
    • a recipient operator whose compliance with the relevant provisions of the APPI is ensured by appropriate and reasonable measures (such as a contract or intra-group rules) agreed between it and the transferring Business Operator Handling Personal Information. In this case, the Business Operator Handling Personal Information must (i) continuously take the necessary measures set forth in the PPC rules to ensure the recipient operator’s compliance with the relevant provisions of the APPI, and (ii) disclose certain information upon the individual’s request, such as an outline of the recipient operator’s methods for compliance, the name of the country where the recipient operator is located, and an outline of that country’s legal regime that could affect the recipient operator’s compliance; and
    • a recipient operator that has obtained recognition under an international framework concerning the handling of personal information (e.g., certification under the APEC Cross-Border Privacy Rules (CBPR) system).
  • With respect to the foreign country where the recipient is located, the prior consent requirement does not apply to countries specified in the PPC rules as having a system for the protection of personal information equivalent to that required under Japanese law. The EEA and the UK have been designated by the PPC as exempted regions as of January 2022.

Are there any notification requirements for data breaches?

For certain data breaches, a report must be submitted to the PPC and a notification sent to the affected individuals under the APPI.  

Note:

Under the APPI and the PPC rules, where a leakage, loss, or damage of Personal Data (“Data Breach”) that meets any of the following thresholds has occurred or is likely to have occurred, a Business Operator Handling Personal Information is, in principle, required to report the fact to the PPC and to notify the affected individuals, regardless of whether the business operator caused the Data Breach intentionally or negligently. 

  • a Data Breach involving Sensitive Information;
  • a Data Breach that is likely to cause property damage (e.g., financial loss) as a result of unauthorized use of the Personal Data;
  • a Data Breach that may have been caused for an improper purpose (e.g., a cyber-attack or theft by an insider); or
  • a Data Breach involving the Personal Data of more than 1,000 individuals.

With respect to reports to the PPC, there is a two-stage deadline consisting of an initial report and a final report. The Business Operator Handling Personal Information must (i) promptly (approximately within 3 to 5 days) report to the PPC the matters of which it is aware at the time of the report, and (ii) make a final report to the PPC within 30 days (or, in the case of a Data Breach that may have been caused for an improper purpose, 60 days) after someone at the business operator becomes aware of the potential or actual Data Breach. The final report must include the following information:

  • an outline of the Data Breach;
  • types of affected Personal Data;
  • the number of affected individuals;
  • the cause of the Data Breach;
  • whether any secondary damage will occur or is likely to occur, and if so, the details of the secondary damage;
  • the status of communications with the affected individuals and a public announcement;
  • the measures for preventing a recurrence; and
  • other matters for reference.

With respect to notifying the affected individuals, a Business Operator Handling Personal Information must promptly issue a notification and provide an outline of the Data Breach to the extent necessary to protect the individual’s rights and interests (depending on the circumstances of the Data Breach). However, where notifying the affected individuals is difficult (e.g., because their contact details are unknown), the notification is not required if the business operator takes alternative measures necessary to protect the individuals’ rights and interests, such as making information about the Data Breach publicly available or establishing a contact point and publishing its details.

Who is the privacy regulator?

Under the APPI, the Personal Information Protection Commission (PPC).

Note: Under the APPI, the PPC is responsible for its enforcement in the private sector. The PPC can request reports and issue recommendations and orders, as well as conduct on-the-spot inspections.

What are the consequences of a privacy breach?

The PPC may request reports on the handling of Personal Information, and it may issue recommendations or corrective orders. A breach of a corrective order is a criminal offense, punishable by imprisonment with work for not more than one year or a fine of not more than ¥1,000,000 for the individual responsible, and by a fine of not more than ¥100,000,000 for the Business Operator Handling Personal Information itself.

Note: Under the APPI, the PPC may request reports on the handling of Personal Information and may issue recommendations or corrective orders if a Business Operator Handling Personal Information violates the APPI.

Before issuing a corrective order, the PPC may take an incremental approach and instruct, advise and make recommendations to business operators governed by the APPI. A breach of a corrective order is a criminal offense, and the person responsible may be punished by imprisonment with work for a maximum of one year or a maximum fine of ¥1,000,000. A Business Operator Handling Personal Information that has violated a corrective order is also subject to a maximum fine of ¥100,000,000. Separately, a person who provides or misappropriates a Personal Information Database for the purpose of obtaining an illicit gain commits a criminal offense, and the Business Operator Handling Personal Information concerned is likewise subject to a maximum fine of ¥100,000,000. Failing to report to the PPC, or making a false report, is punishable by a fine of up to ¥500,000.

How is electronic marketing regulated?

The Specified E-Mail Act regulates the transmission of e-mail as a means of advertising sales activities, and the Act on Specified Commercial Transactions, in the case of online selling, in principle prohibits a company from sending certain types of e-mail advertisement without the customer’s consent.

Note: The Act on Specified Commercial Transactions (Act No. 57 of 1975) ("ASCT").

Under the ASCT, in principle, a company must not provide an advertisement of its sales terms by e-mail without the customer’s prior request or consent.  When a company provides such advertisement by e-mail with the customer’s consent, the company must record and preserve the consent.  The ASCT also contains rules for other forms of marketing, such as telemarketing, mail order sales, multilevel marketing, and offers for the provision of certain long-term services.

The Act on the Regulation of Transmission of Specified Electronic Mail (Act No. 26 of 2002) ("Specified E-Mail Act")

The Specified E-Mail Act regulates the transmission of e-mail as a means of advertising sales activities (“Specified E-mail”). Under this law, a company, in principle, must not transmit Specified E-mail without the customer’s prior request or consent (an opt-in regime), must keep a record of the consent, and must include the sender’s identity and an opt-out method in each message. The substance of the regulation is similar to that of the ASCT.

Are there any recent developments or expected reforms?
  1. The European Commission decided that Japan ensures an adequate level of protection of personal data pursuant to Article 45 of the GDPR (the “Adequacy Decision”) in January 2019. Considering the differences between the APPI and the GDPR, and in order to ensure a high level of protection of an individual’s rights and interests, the PPC has issued supplementary rules under the APPI for handling personal data that are transferred from the EU based on the Adequacy Decision (the “Supplementary Rules”). With respect to personal data that are transferred from the EU based on the Adequacy Decision, the Supplementary Rules provide special rules on the (i) scope of sensitive information; (ii) scope of retained personal data; (iii) obligation to confirm and make a record of the purpose of use and restriction based on the purpose of use; (iv) restriction on onward transfer (provision of personal data to a third party in a foreign country); and (v) scope of anonymously processed information.
  2. When the APPI was amended in 2015, it was also provided that the APPI shall be subject to a triennial review. The first review was conducted and discussed, and the APPI was amended in 2020.

    The 2020 amendment to the APPI was enacted on June 5, 2020, and promulgated on June 12, 2020, and significant parts of the amendment entered into force on April 1, 2022.

    Further, the 2021 amendment to the APPI was enacted on May 12, 2021, and promulgated on May 19, 2021.  A part of the 2021 amendment also entered into force on  April 1, 2022.  The 2021 amendment largely dealt with the public sector and academic research institutions, and the changes to provisions regarding the private sector mainly involve article numbering.
